CVE-2021-41868
Description
OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on non-public nodes using the --receive functionality, due to a missing authentication check before the upload is processed.
Vulnerability
In OnionShare versions 2.3 to 2.3.3 (before 2.4), the receive_mode.py module processes file uploads before verifying Flask HTTP Basic Authentication. This allows unauthenticated file uploads on non-public nodes when using the --receive option. The issue was reported in GitHub issue #1396 [4] and detailed by IHTeam [2].
Exploitation
An attacker can send a POST request to the /upload or /upload-ajax endpoints without providing the required Authorization: Basic header. The file is stored on the remote system before authentication is checked. The attack requires network access to the Tor hidden service but no credentials.
Impact
An attacker can upload arbitrary files to the OnionShare node's filesystem, potentially filling storage or uploading malicious content. The upload is performed with the privileges of the OnionShare process. No authentication bypass is needed, because the check never runs before the upload is stored.
Mitigation
The vulnerability is fixed in OnionShare 2.4. Users should upgrade to version 2.4 or later [1][3]. No workaround is available; users should avoid using version 2.3.x for receive functionality until they can upgrade.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
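The defect the narrative above describes is one of ordering: the upload body is consumed and written to disk before the HTTP Basic Authentication check runs, so returning 401 afterwards changes nothing. The following is an added illustration of that pattern and its hardened form; it is not OnionShare's code and does not reproduce the fix in PR #1404. It uses a stand-alone stdlib-only handler with an in-memory stand-in for the receive directory, a constructed credential pair, and a constructed upload body, so it runs offline. The demo returns, for each variant, the status code and the files that ended up in storage, which is the side effect a regression test should check.

```python
import base64
import binascii
import hmac
import io
from dataclasses import dataclass, field

# Hypothetical in-memory "receive directory" standing in for the node's filesystem.
@dataclass
class Storage:
    files: dict = field(default_factory=dict)

# Minimal request model: headers, an unread body stream and the target filename.
@dataclass
class Request:
    headers: dict
    body: io.BytesIO
    filename: str

# Constructed credentials for the example only (not real OnionShare values).
EXPECTED_USER = "onionshare"
EXPECTED_PASS = "example-password"


def check_basic_auth(headers) -> bool:
    """True only if a well-formed 'Authorization: Basic' header carries the expected pair."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(user.encode(), EXPECTED_USER.encode()) and \
        hmac.compare_digest(password.encode(), EXPECTED_PASS.encode())


def save_upload(storage: Storage, request: Request) -> None:
    storage.files[request.filename] = request.body.read()


def vulnerable_upload(storage: Storage, request: Request) -> int:
    """Ordering defect: the body is stored first, then credentials are checked.
    The 401 is returned only after the file already exists in storage."""
    save_upload(storage, request)
    if not check_basic_auth(request.headers):
        return 401
    return 200


def fixed_upload(storage: Storage, request: Request) -> int:
    """Hardened form: the auth gate runs first; the body is never read on failure."""
    if not check_basic_auth(request.headers):
        return 401
    save_upload(storage, request)
    return 200


def valid_header() -> str:
    token = base64.b64encode(f"{EXPECTED_USER}:{EXPECTED_PASS}".encode()).decode()
    return "Basic " + token


def make_request(auth_header=None) -> Request:
    headers = {"Authorization": auth_header} if auth_header else {}
    # Constructed upload body and filename.
    return Request(headers, io.BytesIO(b"constructed payload"), "drop.bin")


def demo() -> dict:
    """Run each variant against a fresh store; return (status, stored filenames) per case."""
    results = {}
    s = Storage()
    results["vuln_noauth"] = (vulnerable_upload(s, make_request()), sorted(s.files))
    s = Storage()
    results["fixed_noauth"] = (fixed_upload(s, make_request()), sorted(s.files))
    s = Storage()
    results["fixed_auth"] = (fixed_upload(s, make_request(valid_header())), sorted(s.files))
    return results


if __name__ == "__main__":
    for case, (status, stored) in demo().items():
        print(f"{case}: status={status} stored={stored}")
```

The regression test worth keeping is the `fixed_noauth` case: assert that storage is empty after an unauthenticated request, not merely that the status is 401, since the vulnerable variant also returns 401. In a Flask application the equivalent of `fixed_upload`'s ordering is to perform the credential check in a `before_request` hook, before any handler touches `request.files` (which is what triggers parsing of the multipart body).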
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| onionshare-cli (PyPI) | >= 2.3, < 2.4 | 2.4 |
Affected products
- OnionShare/OnionShare
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7g47-xxff-9p85 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41868 (GHSA, ADVISORY)
- github.com/onionshare/onionshare/compare/v2.3.3...v2.4 (MITRE, x_refsource_MISC)
- github.com/onionshare/onionshare/issues/1396 (GHSA, WEB)
- github.com/onionshare/onionshare/pull/1404 (GHSA, WEB)
- www.ihteam.net/advisory/onionshare (GHSA, WEB)
- www.ihteam.net/advisory/onionshare/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.